Feature request - MQTT Client Certificate Authentication (MTLs) #2865
Replies: 1 comment · 5 replies
-
We do support client certificate authentication by using two-way TLS. Authentication is done at the TLS level, either by our built-in TLS or by OpenSSL, WolfSSL, MbedTLS.
-
@scaprile I'm referring to MQTT Certificate Authentication though. Are you saying you support that?
-
This is the paho mqtt implementation of client certificate authentication.
-
I think you are confusing what a computer application does with how a communications stack works.
mongoose/tutorials/mqtt/mqtt-client/main.c Lines 31 to 36 in b566b8b
Just add the client cert as described in the tutorial above.
-
MQTT itself is handling certificate authentication to validate client auth, not an external application like a reverse proxy or otherwise. I'm using client certificate authentication with mqtt right now. This is what my broker configuration looks like.
When the client connects to the broker it must have a CA cert, client cert and client key. Then the mqtt broker validates the client cert + client key, and the client validates the certificate presented by the broker with the CA cert. This is what I'm referring to.
https://www.hivemq.com/blog/mqtt-security-fundamentals-x509-client-certificate-authentication/
http://www.steves-internet-guide.com/creating-and-using-client-certificates-with-mqtt-and-mosquitto/
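The three files named in the post above (CA cert, client cert, client key) are exactly the inputs of a mutual TLS handshake; the broker's only extra step is to demand and verify the client certificate, and to derive the MQTT identity from it instead of from a username. The following is an added example, not code from this thread, from Mongoose or from paho: it uses only Python's standard `ssl` module to build the broker-side and client-side contexts, shows the one-way setting beside the mutual one, and maps a verified peer certificate to an MQTT client identity. All file paths are placeholders and `SAMPLE_PEERCERT` is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl

# Placeholder paths (assumptions): point these at your own PKI material.
CA_FILE = "ca.crt"          # CA that signed both broker and client certificates
CLIENT_CERT = "client.crt"  # certificate the client presents to the broker
CLIENT_KEY = "client.key"   # private key matching CLIENT_CERT
BROKER_CERT = "broker.crt"  # certificate the broker presents to clients
BROKER_KEY = "broker.key"   # private key matching BROKER_CERT


def broker_context(require_client_cert, ca_file=None, cert_file=None, key_file=None):
    """TLS context for the broker (server) side.

    require_client_cert=False is plain one-way TLS: the link is encrypted but any
    client can connect, so authentication must come from somewhere else
    (username/password in the MQTT CONNECT packet).
    require_client_cert=True is mutual TLS: the handshake fails unless the client
    presents a certificate chaining to the trusted CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context for the MQTT client side.

    The client always verifies the broker against the CA (and checks the hostname);
    loading its own cert chain is what makes the connection mutual.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(ca_file)
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def requires_peer_cert(ctx):
    """True when this context refuses the handshake if the peer presents no certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def client_identity_from_cert(peercert):
    """Map a verified client certificate to an MQTT identity (what mosquitto does
    with use_identity_as_username). `peercert` has the getpeercert() shape:
    a 'subject' tuple of RDNs, each a tuple of (attribute_type, value) pairs.
    Raises ValueError when there is no subject CN, so the broker never falls
    back to an unauthenticated identity.
    """
    for rdn in peercert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    raise ValueError("client certificate has no subject CN")


# Constructed sample of what getpeercert() returns after a successful mutual handshake.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example IoT"),),
        (("commonName", "device-01"),),
    ),
    "issuer": ((("commonName", "Example IoT CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    print("one-way broker requires client cert:", requires_peer_cert(broker_context(False)))
    print("mutual broker requires client cert: ", requires_peer_cert(broker_context(True)))
    print("identity from sample cert:", client_identity_from_cert(SAMPLE_PEERCERT))
```

The client-side context is the same object paho accepts through `Client.tls_set_context()`; `Client.tls_set(ca_certs=..., certfile=..., keyfile=...)` builds an equivalent one from the three file paths. Either way, the MQTT library is not doing the authentication: the TLS layer is, which is the distinction the maintainers draw in their replies.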
-
No, that is MQTT over TLS over TCP, and we already support that. You confuse what a computer program does with how systems and communications stacks work. See how we handle AWS https://mongoose.ws/documentation/tutorials/mqtt/mqtt-client-aws-iot/ (in addition to all linked and explained above). Furthermore, this is a one-way example; it can be done mutual/two-way by following the indications above or observing the AWS tutorial. We don't connect to HiveMQ because it doesn't yet support TLS 1.3, while our built-in stack is 1.3. You can also use MbedTLS or OpenSSL or WolfSSL, as I already told you.
mongoose/tutorials/tcpip/pcap-driver/main.c Lines 9 to 86 in b566b8b
mongoose/tutorials/tcpip/pcap-driver/main.c Lines 172 to 175 in b566b8b
-
I took a look at the mqtt configuration in this library and I don't see any mechanism to connect to mqtt via certificate authentication, otherwise known as MTLs. Unless I'm mistaken.
This addition would greatly enhance security. It should be implemented in a way that it's optional to use, but for those that have certificate authentication set up this provides additional security.
Quick background on client certificate authentication.
https://www.ibm.com/docs/en/ibm-mq/9.2?topic=authentication-mqtt-client-using-tls
I'm more familiar with the python paho mqtt implementation so I'll provide some links to those projects where I helped get MTLs support added as a reference.
jgyates/genmon#1006
bkbilly/lnxlink#87
Happy to help answer any questions on how this works if needed as well.